>How are we going to parse logs that represent a single event in multiple
>lines. For example the case of qmail where for an event "an email
>send" generates multiple entries in logs. This gets more interesting when
>we have a central log collector for multiple qmail servers in the network.
This was what I was working on with Fargo's coalesce rules. Basically,
you could say something like:
take all events occurring within 3 hours of each other that
contain a sendmail queue-ID that matches the queue-ID in
a stat=sent message and combine it with other stat=messages
that have the same message-ID.
The algorithm to do this without using tons of CPU and memory is
non-trivial but not awful. What you need to be able to do is parse
a log message into abstract values (host= queue-id= etc) and
then match for matching values of those abstract values.
(event1:queue-id == event2:queue-id) &&
(event2:message-id == event3:message-id)
Then when you've done the match you just preserve the values that
you want from any of the matched event records.
mjr.
---
Marcus J. Ranum http://www.ranum.com
Computer and Communications Security mjr@ranum.com
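The two-stage match described above (parse to abstract values, join on queue-id, then join on message-id within a time window), as an added example that is not the poster's or Fargo's code. It assumes a sendmail-style syslog format with constructed sample lines, and assumes the year since syslog timestamps omit it.

```python
import re
from datetime import datetime, timedelta

# Constructed sendmail-style lines from two relays (hosts, ids and addresses are made up).
LOG_LINES = [
    "Jun 10 10:00:01 mx1 sendmail[101]: g5AA00101: from=<alice@example.com>, msgid=<m1@example.com>",
    "Jun 10 10:00:02 mx1 sendmail[102]: g5AA00101: to=<bob@example.org>, stat=Sent (queued as g5AB00201)",
    "Jun 10 10:00:03 mx2 sendmail[201]: g5AB00201: from=<alice@example.com>, msgid=<m1@example.com>",
    "Jun 10 10:00:05 mx2 sendmail[202]: g5AB00201: to=<bob@example.org>, stat=Sent (ok)",
    "Jun 10 14:30:00 mx1 sendmail[103]: g5AA00103: from=<eve@example.net>, msgid=<m2@example.net>",
    "Jun 10 14:30:01 mx1 sendmail[104]: g5AA00103: to=<bob@example.org>, stat=Deferred",
]
LINE_RE = re.compile(r"^(\w{3} \d{1,2} \d\d:\d\d:\d\d) (\S+) sendmail\[\d+\]: (\w+): (.*)$")
WINDOW = timedelta(hours=3)

def parse(line):
    """Reduce one raw line to abstract values: ts, host, queue-id, plus its key=value fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime("2002 " + m.group(1), "%Y %b %d %H:%M:%S")  # year assumed; syslog omits it
    fields = dict(kv.split("=", 1) for kv in m.group(4).split(", ") if "=" in kv)
    return {"ts": ts, "host": m.group(2), "qid": m.group(3), **fields}

def coalesce(lines, window=WINDOW):
    """Stage 1: merge lines sharing (host, queue-id). Stage 2: join those records on msgid within window."""
    queues = {}
    for ev in filter(None, map(parse, lines)):
        rec = queues.setdefault((ev["host"], ev["qid"]), {"host": ev["host"], "qid": ev["qid"], "first": ev["ts"]})
        rec.update({k: ev[k] for k in ("msgid", "to", "stat") if k in ev})  # preserve only the values we want
        rec["last"] = ev["ts"]
    by_msgid = {}
    for rec in queues.values():
        by_msgid.setdefault(rec.get("msgid", rec["qid"]), []).append(rec)
    events = []
    for msgid, recs in by_msgid.items():
        recs.sort(key=lambda r: r["first"])
        hops = [recs[0]]
        for r in recs[1:]:
            if r["first"] - hops[-1]["first"] > window:  # too far apart: a separate event with a reused msgid
                events.append({"msgid": msgid, "hops": hops})
                hops = []
            hops.append(r)
        events.append({"msgid": msgid, "hops": hops})
    return events
```

Each returned event is one delivery: its hops list the per-host queue records in time order, so the final stat is the last hop's.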
This archive was generated by hypermail 2b30 : Mon Jun 10 2002 - 14:54:37 PDT